How will the GDPR impact open source communities?
This new regulation by the European Union will impact how organizations need to protect personal data on a global scale. The General Data Protection Regulation was approved by the EU Parliament on April 14, 2016, and will be enforced beginning May 25, 2018. The aim of the GDPR is to protect the personal data of individuals in the EU in an increasingly data-driven world. The GDPR applies to all organizations processing the personal data of data subjects residing in the European Union, regardless of where the organization is located. Compared to the previous Directive, the GDPR brings many changes that strengthen the data protection and privacy of EU persons.
The GDPR expands the rights of EU persons. One of them is the right to ask an organization whether, where and which of their personal data is processed. Upon request, they should also be provided with a copy of this data, free of charge, and in an electronic format if the data subject asks for it. An organization's systems will therefore need specific features such as obtaining and storing consent, extracting data and providing a copy in electronic format to a data subject, and finally the means to erase specific data about a data subject. Under the GDPR, a data breach occurs whenever personal data is taken or stolen without the authorization of the data subject.
Once a breach is discovered, you should notify your affected community members within 72 hours unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. As an organization, you will become responsible for keeping a register which will include detailed descriptions of all procedures, purposes, etc., for which you process personal data. I have covered some of the parts of the regulation that could have an impact on an open source community, raising awareness of the GDPR and its impact.
GDPR: The EU’s General Data Protection Regulation, explained
In May 2018, the General Data Protection Regulation will take effect and change the rules of the road for companies that collect, store or process large amounts of user information. Without a doubt, the GDPR will be a significant factor in guiding Facebook’s data privacy policies moving forward. Given that many online businesses have European customers or users, whether or not they have offices or store data there, the EU is essentially setting a new global standard for data and privacy. It’s not just Facebook, Google and other big internet companies that will have to comply: health care providers, insurers, banks and any other company dealing in sensitive personal data will also be on the hook.
The GDPR applies to any organization that collects, processes, manages or stores the data of European citizens. The GDPR essentially sets a new global standard for data protection. The regulation applies to a broad array of personal data including name, ID numbers and location, as well as IP addresses, cookies and other digital fingerprints. Facebook’s response is sure to be closely scrutinized by European regulators, given the company’s checkered past with regard to user data. The GDPR requires companies that have lost control over customer data, or who have been hacked, to notify users within 72 hours.
The GDPR requires businesses and organizations to obtain parental consent to process the personal data of children under the age of 16. The Transatlantic Consumer Dialogue, a coalition of US and European consumer groups, has called on Facebook to adopt the GDPR’s new standards including its expansive definition of personal data and requirement for rapid, comprehensive notification in case of a breach.
As a global company with customers in nearly every country in the world, protecting the personal data of our customers and their end-users continues to be a priority. GDPR represents an opportunity to continue our commitment in this area. LogMeIn already participates in the EU-U.S. and Swiss Privacy Shield Frameworks and is compliant with current applicable EU data protection rules. At LogMeIn, our ongoing compliance review and actions build on our existing investments in privacy, security, and the operational processes necessary to meet the applicable requirements of GDPR by May 25, 2018.
While the GDPR does not introduce significant new requirements to LogMeIn’s security and privacy practices and principles, we are hard at work to ensure GDPR compliance by the implementation date. Data Security: LogMeIn maintains rigorous technical and organizational security practices and measures, both in how we handle customer Content, including any personal information located therein, and in the capabilities of our services and products to assist you in safeguarding your Content. We continue to evaluate industry standard practices with respect to data privacy and information security and strive to continuously meet or exceed those standards. This GDPR-compliant DPA ensures that any transfer of personal data outside the European Economic Area in connection with your relationship with LogMeIn will be performed in compliance with the GDPR. Privacy Shield: LogMeIn also demonstrates its commitment to maintaining appropriate privacy and security standards around the collection, use, transfer, and retention of personal data from the EU and Switzerland by participating in the EU-U.S. and Swiss Privacy Shield Frameworks.